Processors within computing devices often include privileged and unprivileged modes. Software running in a privileged mode is generally able to execute every instruction supported by the processor. Typically, the operating system kernel runs within the privileged mode, which is sometimes referred to as “Ring 0”, “Supervisor Mode”, or “Kernel Mode”.
In contrast, some software running on the computing device may be constrained to run only in an unprivileged mode. This mode generally allows the software to execute a subset of the processor's instructions. An operating system can thus use the unprivileged mode to limit the activity of software running in this mode. For example, software might be restricted to a particular subset of the computing device's memory. This unprivileged mode is sometimes known as “Ring 3” or “User Mode”. In general, computing-device user applications operate in this unprivileged mode.
If a software application operates in this unprivileged mode, the application may request access to a portion of memory that cannot be directly accessed from the unprivileged mode. The application may, for example, wish to perform an operation in this portion of memory such as “create a new file”. This request is typically routed through a call gate or other system call instruction, which transitions this unprivileged-mode code into privileged-mode code. This transition ensures that the unprivileged mode does not have direct access to memory that is designated as accessible from privileged mode only.
In accordance with these modes, an author of malicious code may access the privileged mode and install malware that changes the behavior of the computing device. This malware may, for instance, alter the location of files, hide files, modify files, change keystrokes, or the like. Some of this malware may comprise a “rootkit”, which not only changes the computing device's behavior but also hides itself within the privileged mode's memory. Antivirus applications running on the computing device may accordingly fail to discover this hidden rootkit, thus allowing the malware to continue its malicious deeds. Furthermore, such malware may patch over an operating system's built-in protection system, as discussed below.
A malware author may access the privileged mode and load malware onto a computing device in a variety of ways, including by tricking the computing-device user into unknowingly installing the malware onto the user's own computing device. As a result, current operating systems often employ one or more protection systems to detect such malware. These protection systems generally monitor certain important operating-system resources to detect any changes to these resources. If such a protection system detects such a change, then the protection system may decide that the particular resource has been infected by malware. These protection systems may also provide, to the user's antivirus application, a list of applications currently resident in the unprivileged mode's memory. Of course, if the malware was successful in hiding, then it will not appear on the provided list. Furthermore, if the malware was successful in patching the protection system, then the protection system may fail to run or otherwise fail to detect any changes to the important operating-system resources.
While these protection systems can be effective, they can also suffer from a few weaknesses. First, these systems often rely on obscurity and are thus vulnerable to exploitation if identified by the malware. That is, if the malware deciphers the identity of and locates the protection system, it may disable the protection system itself. The malware author may also instruct others as to how to do the same. Furthermore and related to the first, these protection systems generally operate in a same protection domain as that of the operating system (e.g., within the privileged mode itself). Therefore, the protection system is itself subject to attack if the malware gains access to the privileged mode and is able to unmask the obscured protection system. Finally, these protection systems initialize at the same time as the operating system or privileged mode. Therefore, if the malware or malware author gains control of the computing device before this initialization, it may prevent the protection system from initializing.